feat: admin migrate_developer_balance with timelock#546
Merged
greatest0fallt1me merged 1 commit on Jun 27, 2026
Conversation
@Songu3020 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀
closes #494
Summary
⚠️ Full settlement suite: 146 passed, 3 unrelated pre-existing failures.
⚠️ Workspace tests are blocked by pre-existing vault compilation errors.
⚠️ Clippy and coverage could not run because the installed toolchain reports those components as unavailable/inapplicable.
Adds an admin-only, timelocked workflow for migrating a developer’s settlement balance to a replacement address for compliance recovery.
Changes
Added propose_balance_migration and execute_balance_migration.
Enforced a fixed 24-hour timelock.
Required current admin authorization at both stages, preserving Stellar multisig thresholds.
Snapshotted the approved balance to prevent later credits from being swept unintentionally.
Added checked arithmetic, atomic state updates, and replay prevention.
Added admin_migration_proposed and admin_migration audit events.
Added pending-migration query support.
Documented the workflow, errors, interface, and security semantics.
Restored missing settlement broadcast definitions and repaired stale settlement tests required for compilation.
Security Considerations
Source and destination must differ.
The settlement contract cannot be the destination.
Empty balances cannot be proposed.
Destination overflow safely reverts.
If the approved balance is spent before execution, migration fails without partial writes.
Re-proposing restarts the complete timelock.
Successful execution consumes the proposal.
Testing
✅ 12/12 migration tests pass.
✅ cargo check -p callora-settlement --lib
✅ Settlement release WASM builds successfully.
✅ WASM size: 59,515 bytes, below the 64 KiB limit.
✅ Interface JSON and changed-file formatting validated.
Commit
feat: admin migrate_developer_balance with timelock
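The two-stage propose/execute flow and the checks listed under Security Considerations, as an added illustration that is not code from the callora-settlement contract or this PR: a plain-Rust, in-memory model (std, no Soroban SDK) in which `Settlement`, `TIMELOCK_SECS`, `PendingMigration` and the `Error` variants are hypothetical stand-ins for the contract's real types, and the admin check is a single-address comparison rather than Stellar multisig auth. It reproduces the semantics described above: balance snapshotted at proposal, fixed 24-hour timelock, re-proposal restarting the clock, all checks (including both checked-arithmetic steps) before any write, and the proposal consumed on success.

```rust
// Added illustration, not code from the callora-settlement contract:
// a plain-Rust (std, in-memory) model of the two-stage timelocked
// migration described in this PR. Names such as Settlement, TIMELOCK_SECS
// and the Error variants are hypothetical stand-ins for the real ones.
use std::collections::BTreeMap;

/// Fixed 24-hour timelock between proposal and execution.
pub const TIMELOCK_SECS: u64 = 24 * 60 * 60;

pub type Address = &'static str;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Error {
    Unauthorized,
    SameAddress,
    ContractIsDestination,
    EmptyBalance,
    NoPendingMigration,
    TimelockActive,
    InsufficientBalance,
    Overflow,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct PendingMigration {
    pub from: Address,
    pub to: Address,
    /// Balance snapshotted at proposal time; later credits are not swept.
    pub amount: u128,
    /// Earliest timestamp at which execution is permitted.
    pub execute_after: u64,
}

pub struct Settlement {
    pub contract: Address,
    pub admin: Address,
    pub balances: BTreeMap<Address, u128>,
    pub pending: Option<PendingMigration>,
}

impl Settlement {
    fn require_admin(&self, caller: Address) -> Result<(), Error> {
        if caller == self.admin { Ok(()) } else { Err(Error::Unauthorized) }
    }

    /// Stage 1: admin proposes. All validation happens here; a re-proposal
    /// simply overwrites the pending record, so the full timelock restarts.
    pub fn propose_balance_migration(
        &mut self, caller: Address, now: u64, from: Address, to: Address,
    ) -> Result<PendingMigration, Error> {
        self.require_admin(caller)?;
        if from == to { return Err(Error::SameAddress); }
        if to == self.contract { return Err(Error::ContractIsDestination); }
        let amount = self.balances.get(from).copied().unwrap_or(0);
        if amount == 0 { return Err(Error::EmptyBalance); }
        let execute_after = now.checked_add(TIMELOCK_SECS).ok_or(Error::Overflow)?;
        let proposal = PendingMigration { from, to, amount, execute_after };
        self.pending = Some(proposal.clone());
        Ok(proposal)
    }

    /// Stage 2: admin executes once the timelock has elapsed. Every check,
    /// including both checked-arithmetic steps, runs before the first write,
    /// so any failure leaves balances and the proposal untouched.
    pub fn execute_balance_migration(&mut self, caller: Address, now: u64) -> Result<u128, Error> {
        self.require_admin(caller)?;
        let PendingMigration { from, to, amount, execute_after } =
            self.pending.clone().ok_or(Error::NoPendingMigration)?;
        if now < execute_after { return Err(Error::TimelockActive); }
        let src = self.balances.get(from).copied().unwrap_or(0);
        let new_src = src.checked_sub(amount).ok_or(Error::InsufficientBalance)?;
        let dst = self.balances.get(to).copied().unwrap_or(0);
        let new_dst = dst.checked_add(amount).ok_or(Error::Overflow)?;
        self.balances.insert(from, new_src);
        self.balances.insert(to, new_dst);
        self.pending = None; // consumed: a second execute cannot replay it
        Ok(amount)
    }

    /// Query support for the pending proposal, if any.
    pub fn pending_migration(&self) -> Option<&PendingMigration> { self.pending.as_ref() }
}

fn main() {
    let mut s = Settlement { contract: "CONTRACT", admin: "ADMIN", balances: BTreeMap::new(), pending: None };
    s.balances.insert("DEV_OLD", 100); // constructed sample balance
    let p = s.propose_balance_migration("ADMIN", 1_000, "DEV_OLD", "DEV_NEW").unwrap();
    println!("proposed: {:?}", p);
    println!("too early: {:?}", s.execute_balance_migration("ADMIN", p.execute_after - 1));
    println!("executed: {:?}", s.execute_balance_migration("ADMIN", p.execute_after));
    println!("balances: {:?}", s.balances);
}
```

The ordering in `execute_balance_migration` is the point worth copying: both `checked_sub` and `checked_add` are evaluated before either `insert`, which is what makes "migration fails without partial writes" and "destination overflow safely reverts" true in this model without relying on transaction rollback.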